
Warning: Actively Exploited Vulnerabilities in Cisco Adaptive Security Appliance and Firepower Threat Defense Software. Patch Immediately!

Reference: Advisory #2024-60
Version: 1.0
Affected software: Cisco Adaptive Security Appliance and Firepower Threat Defense Software
Type: Web Services Denial of Service (DoS), Command Injection, and Persistent Local Code Execution Vulnerability
CVE/CVSS:
  • CVE-2024-20353: 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • CVE-2024-20358: 6.0 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
  • CVE-2024-20359: 6.0 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

Sources

Cisco Systems Inc.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

NIST

https://nvd.nist.gov/vuln/detail/CVE-2024-20353
https://nvd.nist.gov/vuln/detail/CVE-2024-20358
https://nvd.nist.gov/vuln/detail/CVE-2024-20359

Risks

On April 24, 2024, Cisco Systems Inc. published information about three vulnerabilities in their Cisco Adaptive Security Appliance and Firepower Threat Defense Software (CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359). At the same time, the company released patches for the affected software.

Two of the vulnerabilities, CVE-2024-20353 and CVE-2024-20359, are confirmed by Cisco Systems Inc. to have been exploited in the wild. A separate blog post by Cisco Talos attributes this exploitation to a campaign, dubbed "ArcaneDoor", run by a previously unknown and presumably state-sponsored actor ("UAT4356", aka "STORM-1849") with a clear focus on espionage.

CVE-2024-20353, the vulnerability with the highest CVSS score (8.6), allows an unauthenticated remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition and a high impact on availability. Cisco Talos reported that this forced reload was abused in the ArcaneDoor campaign as part of installing a persistent backdoor. In addition, a reload destroys volatile forensic evidence on the device, so it also hides traces of a compromise.

Exploitation of CVE-2024-20358 and CVE-2024-20359 (both 6.0 MEDIUM) requires administrator-level privileges on the device but could have a high impact on confidentiality and integrity.

Description

CVE-2024-20353 is caused by incomplete error checking when parsing an HTTP header. An unauthenticated remote attacker sending a crafted HTTP request to the web server on a vulnerable device could cause the device to reload, resulting in a denial of service (DoS).

CVE-2024-20358 exists because of improper sanitisation of backup file content at restore time. An attacker with administrator-level privileges could exploit the vulnerability locally by restoring a crafted backup file to an affected device, which would allow the execution of arbitrary commands on the underlying Linux operating system as root.

CVE-2024-20359 exists because of improper validation of a file when it is read from system flash memory. An attacker with administrator-level privileges could exploit the vulnerability locally by copying a crafted file to the disk0: file system of an affected device, which would allow the attacker to execute arbitrary code on the device after its next reload. The injected code persists across reboots.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

  • Any gaps in logging or any recent unexpected reboots of these appliances should be treated as suspicious activity that warrants further investigation.
  • The CCCS cyber security advisory provides a listing of Cisco ASA alert codes to review for potential malicious activity.
  • The articles linked in the reference section provide additional Indicators of Compromise (IoCs).
  • The Cisco Talos report provides additional guidance when performing Cisco ASA Forensic Investigation.
  • It is advised to check for the presence of Line Dancer prior to checking for the presence of Line Runner, as a device reboot will remove traces of Line Dancer.
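The two signals called out above, unexpected reloads and gaps in logging, can be checked mechanically against a device's syslog stream. The following Python script is an added example written for this advisory; it is not code from the CCB, Cisco or Cisco Talos. It assumes the ASA timestamp format shown in the constructed sample, and it assumes that syslog ID 199001 ("Reload command executed") marks an operator-initiated reload and 199002 ("Startup completed") marks the device coming back up; verify both IDs against the ASA syslog reference for your release before relying on them. Run it against logs held on a remote syslog collector, since logs kept on the appliance itself do not survive a reload.

```python
"""Flag unexpected reloads and logging gaps in Cisco ASA syslog output.

Added example for the CCB advisory, not Cisco or CCB code. Assumptions:
  - timestamp format "Mon DD YYYY HH:MM:SS: %ASA-<sev>-<id>: <message>"
    (i.e. "logging timestamp" enabled); adjust LINE_RE otherwise;
  - 199001 = "Reload command executed ..." (operator reload, assumed);
  - 199002 = "Startup completed. Beginning operation." (assumed).
"""
import re
from datetime import datetime, timedelta

RELOAD_CMD_ID = "199001"   # assumed operator-initiated reload message
STARTUP_ID = "199002"      # assumed post-boot startup message

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)

# Constructed sample log (not captured from a real device). It contains one
# startup with no preceding reload command, one operator reload followed by
# a normal startup, and a period of silence with no reload at all.
SAMPLE_LOG = """\
Apr 20 2024 08:00:01: %ASA-6-302013: Built outbound TCP connection 10 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/52110 (192.0.2.10/52110)
Apr 20 2024 08:05:17: %ASA-6-302014: Teardown TCP connection 10 for outside:203.0.113.5/443 to inside:192.0.2.10/52110 duration 0:05:16 bytes 2048 TCP FINs
Apr 20 2024 08:07:00: %ASA-6-302013: Built outbound TCP connection 11 for outside:203.0.113.6/443 (203.0.113.6/443) to inside:192.0.2.11/52111 (192.0.2.11/52111)
Apr 20 2024 14:40:02: %ASA-6-199002: Startup completed. Beginning operation.
Apr 20 2024 14:41:00: %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:192.0.2.12/52112 (192.0.2.12/52112)
Apr 20 2024 14:50:00: %ASA-5-199001: Reload command executed from console (remote admin).
Apr 20 2024 14:53:30: %ASA-6-199002: Startup completed. Beginning operation.
Apr 20 2024 14:55:00: %ASA-6-302013: Built outbound TCP connection 13 for outside:203.0.113.8/443 (203.0.113.8/443) to inside:192.0.2.13/52113 (192.0.2.13/52113)
Apr 20 2024 20:30:00: %ASA-6-302013: Built outbound TCP connection 14 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:192.0.2.14/52114 (192.0.2.14/52114)
"""


def parse(text):
    """Return a list of (timestamp, message_id, message) in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["id"], m["msg"]))
    return events


def find_gaps(events, max_silence=timedelta(hours=1)):
    """Return (start, end, duration) for every silence longer than max_silence.

    A gap may be a reload, a collector outage, or logging being switched
    off on the device; each one warrants a look, as the advisory states.
    """
    gaps = []
    for (t0, _, _), (t1, _, _) in zip(events, events[1:]):
        if t1 - t0 > max_silence:
            gaps.append((t0, t1, t1 - t0))
    return gaps


def find_unexpected_reloads(events, window=timedelta(minutes=15)):
    """Return timestamps of startup messages with no operator reload within window."""
    last_reload = None
    unexpected = []
    for ts, msg_id, _ in events:
        if msg_id == RELOAD_CMD_ID:
            last_reload = ts
        elif msg_id == STARTUP_ID:
            if last_reload is None or ts - last_reload > window:
                unexpected.append(ts)
    return unexpected


def review(text):
    """Run both checks and return the findings as a dict."""
    events = parse(text)
    return {
        "events": len(events),
        "gaps": find_gaps(events),
        "unexpected_reloads": find_unexpected_reloads(events),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    print(f"parsed {findings['events']} events")
    for start, end, dur in findings["gaps"]:
        print(f"GAP   {start} -> {end} ({dur})")
    for ts in findings["unexpected_reloads"]:
        print(f"REBOOT without operator reload command at {ts}")
```

On the constructed sample the script reports two gaps (one coinciding with the unexplained startup at 14:40, one silent stretch after 14:55 with no reload at all) and one unexpected reload. Tune `max_silence` to the device's normal log volume; a busy perimeter firewall should rarely be silent for more than a few minutes.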

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already taken place: a backdoor installed before the patch remains in place and must be found and removed separately.

References

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-dancer.pdf

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-runner.pdf

https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns